WAN1 and WAN2 will be connected on the main OPN hardware. WAN1 will be offering a site-to-site VPN and also a VPN for users using two-factor authentication; it will also be the IP for the internet. WAN2 will be the MX records of the internal mail server.

I want to configure the second hardware (WAN3/WAN4) as a failover, so that in case the first hardware is down, remote users will still be able to work.

Can someone please advise how to configure this? I've read that HA CARP can do the job, but I'm not sure if it applies in my scenario.

An OpenVPN client connection can be configured with multiple 'remote' lines. Normal behaviour is for it to attempt a connection starting with the first line, and work its way down until it connects.

The remote-random option will randomise this sequence, and the remote-random-hostname will add a random subdomain to the FQDN of the server, to stop the client's resolver from caching the server's name to allow for DNS load balancing.

These are client options which you'll need to add to each user's profile. Naturally, the OpenVPN man page is compulsory reading.
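
One way to roll the extra 'remote' line out to existing user profiles, as an added example that is not part of the original thread: a small Python helper that appends a backup server after the last existing `remote` line and reports the order the client will try them in. The hostnames, the port and the function names are assumptions for illustration, and it assumes profiles use top-level `remote` lines rather than `<connection>` blocks.

```python
import re

# Matches an OpenVPN "remote host [port] [proto]" directive.
# Comment lines (starting with # or ;) do not match.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?\s*$")


def list_remotes(profile):
    """Return [(host, port, proto), ...] in file order, the order the client tries them."""
    out = []
    for line in profile.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def add_failover_remote(profile, host, port="1194", proto="udp", randomize=False):
    """Add a backup 'remote' after the last existing one. Safe to run twice."""
    if "<connection>" in profile:
        raise ValueError("profile uses <connection> blocks; edit those by hand")
    lines = profile.splitlines()
    idx = [i for i, l in enumerate(lines) if REMOTE_RE.match(l)]
    if not idx:
        raise ValueError("no 'remote' line found; not a client profile?")
    if host not in [h for h, _, _ in list_remotes(profile)]:
        lines.insert(idx[-1] + 1, f"remote {host} {port} {proto}")
    # Optional: try the remotes in random order instead of top to bottom.
    if randomize and not any(l.strip() == "remote-random" for l in lines):
        lines.insert(idx[0], "remote-random")
    return "\n".join(lines) + "\n"


# Constructed sample profile; hostnames are placeholders, not from the thread.
SAMPLE = """client
dev tun
# primary firewall (WAN1)
remote vpn1.example.com 1194 udp
resolv-retry infinite
nobind
"""

if __name__ == "__main__":
    print(add_failover_remote(SAMPLE, "vpn2.example.com"))
```

Without `randomize=True` the primary stays first, so clients only fall through to the second server when the first does not answer.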